Cybercriminals are using artificial intelligence (AI) to make phishing harder to detect. Here are four security practices that small and midsize businesses can use to protect their organizations.
Phishing emails are one of the most popular attack vectors for cybercriminals and have historically targeted small and midsize businesses (SMBs). They attempt to trick employees into revealing sensitive information that attackers can use to access systems and networks that house critical or confidential data.
Phishing, coupled with "pretexting emails" (in which cybercriminals target people using existing email chains and context), accounts for 73% of all social engineering security breaches, according to the Verizon 2024 Data Breach Investigations Report. Additionally, business email compromise, a type of phishing, increased by 4% last year and accounted for almost one-third of all cyber insurance claims.
While phishing has not always been successful, the ease of use and broad applicability have made it a go-to scam for cybercriminals. However, new technological developments have made phishing emails much more effective. Incorporating artificial intelligence (AI) into proven tactics has revolutionized phishing, making it more personalized, professional and targeted.
While concrete evidence is sparse on bad actors' implementation of AI, cybercriminals are likely using AI to enhance their attacks. Last year, the San Francisco division of the FBI warned businesses about the escalating threat posed by cybercriminals using AI tools. Microsoft and OpenAI also published research pointing to cybercriminals' use of large language models to replicate human language patterns.
During 2025, we'll continue to see anecdotal evidence of cybercriminals using AI to improve their attacks, making phishing emails easier to generate and harder to detect.
Traditional phishing attempts used to be easy to spot because they included poor grammar, generic templates and easily detectable scams. But AI has upped the sophistication of these emails by creating highly personalized, grammatically flawless and contextually relevant messages at scale and across multiple languages.
AI can scrape a business's social media profiles, corporate websites and publicly available data to create emails tailored to specific individuals. AI-generated phishing emails can even reference recent company news or an employee's LinkedIn post, or mimic a trusted colleague's tone and writing style.
AI-powered phishing campaigns can also adapt based on the recipient's responses, or lack thereof. Attackers can reuse the language and tactics of successful emails and drop or amend the emails that perform poorly in search of better results.
These capabilities and refinements make AI-driven phishing emails harder to identify and sharply increase their success rate, posing a significant threat to SMBs with limited resources to combat advanced attacks.
While clicking on a link in a phishing email may not seem like a significant infraction, that one small click can turn into a larger incident. For instance, a successful phishing attack can enable funds transfer fraud, in which cybercriminals redirect an organization's online money transfer so that they receive the payment instead of the intended recipient. Phishing can also pave the way for a long-dwell attack, in which a bad actor remains inside an organization's systems for an extended period to steal data or wreak havoc.
Tools to Mitigate and Prevent AI-Enabled Phishing
Trying to detect and stop AI-powered phishing attacks may sound daunting, but SMBs have tools at their disposal. Here are four security practices that SMBs can implement to protect their organizations:
1) Enable multifactor authentication (MFA). MFA requires two or more independent forms of verification before granting access to a system, application or account. The factors come from three categories: something you know, like a password; something you have, such as a physical device; and something you are, like a fingerprint.
For example, logging into an account might require both entering a password and verifying a code sent to your phone. Enforcing these layers of verification greatly reduces the risk of unauthorized access, even if one factor is compromised.
2) Implement email authentication protocols. Email authentication protocols help prevent email spoofing and ensure that only authorized senders use a business domain. A business should implement three vital protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Together they let receiving mail systems reject domain spoofing, so that only authorized senders can send email from a company's domain and messages claiming to come from the company can be checked against the records it publishes.
Most email hosting providers include SPF, DKIM and DMARC support in their plans at no extra cost. However, depending on a business's needs, the DNS records may need to be configured manually.
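To make the three protocols concrete, here is an added example (not from the article or from Coalition) that audits the DNS TXT records a hypothetical domain, example.com, publishes for SPF, DKIM and DMARC. The record contents, the DKIM selector name `mail` and the placeholder public key are all constructed for illustration; in a real check the dictionary would be replaced by live DNS lookups. It flags the weak settings an SMB typically ends up with (SPF ending in `+all`, DMARC `p=none`, no DKIM key published) beside a hardened set that passes cleanly.

```python
# Constructed records for a hypothetical domain. The DKIM key is a placeholder,
# and the dict stands in for DNS TXT lookups so the example runs offline.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example +all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Check the terminal 'all' mechanism, which decides what happens to unlisted senders."""
    if record is None:
        return ["SPF: no record published; any host can claim to send for the domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 and will be ignored"]
    # Simplification: mechanisms after 'all' are ignored by receivers, so the last term is what matters.
    last = terms[-1].lower()
    if last in ("all", "+all"):
        return ["SPF: ends with +all, which authorises every sender on the internet"]
    if last == "?all":
        return ["SPF: ends with ?all (neutral), which gives receivers no basis to reject"]
    if last not in ("~all", "-all"):
        return ["SPF: no terminal 'all' mechanism; unlisted senders get an implicit neutral result"]
    return []


def audit_dkim(record):
    """A key must be published at the selector, and an empty p= tag means it is revoked."""
    if record is None:
        return ["DKIM: no public key at the expected selector; signatures cannot be verified"]
    if not parse_tags(record).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []


def audit_dmarc(record):
    """p= tells receivers what to do on failure; rua= is where aggregate reports go."""
    if record is None:
        return ["DMARC: no record published; receivers cannot apply a policy"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def audit_domain(records, domain, selector="mail"):
    """Run all three checks for one domain; an empty list means nothing to fix."""
    return (audit_spf(records.get(domain))
            + audit_dkim(records.get(f"{selector}._domainkey.{domain}"))
            + audit_dmarc(records.get(f"_dmarc.{domain}")))


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}:")
        for finding in audit_domain(records, "example.com") or ["no findings"]:
            print("  " + finding)
```

The order of the findings mirrors the order a provider usually asks you to fix them: publish SPF with a restrictive `-all` (or `~all` while testing), publish a DKIM key and sign outgoing mail, then move DMARC from `p=none` to `p=quarantine` or `p=reject` once the aggregate reports show legitimate mail passing.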
3) Promote security awareness training. Security awareness training equips employees with the knowledge and skills to identify and mitigate potential threats.
Businesses should tell employees to look for the following signs to identify phishing emails:
- Unknown or misspelled sender addresses.
- Emails containing unexpected links or attachments.
- A different "Reply-To" email address than the sender's.
- Emails that ask you to reply with sensitive information.
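The four signs above can also be checked by a mail filter rather than left to the reader. The following is an added example, not code from the article or from Coalition, that runs those same checks over a raw email message using Python's standard `email` library. The trusted-domain list, the lookalike threshold, the keyword list and both sample messages are constructed for illustration; a real deployment would tune all of them.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Domains this hypothetical organisation trusts; a domain close to, but not
# equal to, one of these is treated as a lookalike (sign 1 in the checklist).
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed keyword list for sign 4; real filters use far richer rules.
SENSITIVE_RE = re.compile(
    r"\b(password|passcode|verification code|bank details|account number)\b",
    re.IGNORECASE,
)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain):
    """True when the domain closely resembles a trusted domain without matching it."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= 0.8 for t in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return the checklist items triggered by one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    # Sign 1: unknown or misspelled sender domain.
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    if lookalike_domain(from_dom):
        hits.append("lookalike sender domain: " + from_dom)
    elif from_dom not in TRUSTED_DOMAINS:
        hits.append("unknown sender domain: " + from_dom)

    # Sign 3: Reply-To points somewhere other than the sender's domain.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_dom:
        hits.append("Reply-To domain differs from From: " + _domain(reply_addr))

    # Sign 2: links or attachments.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if URL_RE.search(body):
        hits.append("body contains a link")
    if any(True for _ in msg.iter_attachments()):
        hits.append("message has an attachment")

    # Sign 4: asks the reader to reply with sensitive information.
    if SENSITIVE_RE.search(body):
        hits.append("asks for sensitive information")
    return hits


# Constructed sample: a lookalike domain, a foreign Reply-To, a link and a credential request.
SAMPLE = """From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.ceo@mail-relay.net
To: bob@example.com
Subject: Urgent: confirm wire details
Content-Type: text/plain; charset="utf-8"

Bob, I'm in a meeting. Reply with the account number and your password for the portal: https://portal.examp1e.com/login
"""

# Constructed benign message from a trusted domain.
BENIGN = """From: alice@example.com
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, "->", phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof of phishing on its own (a colleague may legitimately set a Reply-To, and most business mail carries links), which is why the function returns the list of indicators rather than a verdict: a filter can quarantine on several hits, and the security team sees exactly which signs fired when an employee reports the message.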
Training that focuses on current cyber risks helps employees stay informed about timely and relevant threats, such as phishing and social engineering. Businesses can also run phishing simulations to help ensure their team retains these lessons while building confidence in spotting and avoiding phishing attempts.
4) Encourage proactive reporting. Create a system for employees to report suspicious emails so IT or security teams can analyze and mitigate potential threats. When flagged early, teams can block harmful emails across the network before they cause damage. A security-conscious culture that embraces proactive reporting can uplift employee morale and strengthen overall cybersecurity posture.
Leeann Nicolo is an incident response lead at Coalition Incident Response.